BIND version 9.10

Summary

BIND (Berkeley Internet Name Domain) version 9.10 is the latest stable major update of the widely used DNS server. Besides new features, some settings defaults have changed since the previous major version (9.9).

Current status

Detailed Description

New features

New zone file format, "map", stores zone data in a format that can be mapped directly into memory, allowing significantly faster zone loading.

New tool "delv" (domain entity lookup and validation) with dig-like semantics for looking up DNS data and performing internal DNSSEC validation has been added.

New "prefetch" option improving the recursive resolver performance has been added.

Improved EDNS processing allowing better resolver performance.

Substantial improvements have been made in response-policy zone (RPZ) performance.

ACLs can now be specified based on geographic location using the MaxMind GeoIP databases.

The statistics channel can now provide data in JSON format as well as XML.

The new "in-view" zone option allows zone data to be shared between views, so that multiple views can serve the same zones authoritatively without storing multiple copies in memory.

Native PKCS#11 API has been added. This allows BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a cryptographic hardware service module (HSM) directly instead of using a modified OpenSSL as an intermediary (Native PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM version 2 from the Open DNSSEC project.).

New tool "named-rrchecker" can be used to check the syntax of individual resource records, and optionally to convert them to the format used for unknown record types.

New tool "dnssec-importkey" allows "offline" DNSSEC keys (i.e., keys whose private data is not stored on the system on which named is running) to be published or deleted on schedule using automatic DNSKEY management.

Network interfaces are re-scanned automatically whenever they change. Use "automatic-interface-scan no;" to disable this feature.

Added "rndc scan" to trigger an interface scan manually.

New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated.

Multiple DLZ databases can now be configured, and are searched in order to find one that can answer an incoming query.

"named-checkzone" and "named-compilezone" can now read journal files.

Feature changes

The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is no longer optional. The version 2 XML schema is now deprecated.

"named" now listens on IPv6 as well as IPv4 interfaces by default.

The internal and export versions of the BIND libraries (libisc, libdns, etc) have been unified so that external library clients can use the same libraries as BIND itself.

The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance.

Adaptive mutex locks are now used on systems which support them.

"rndc flushtree" now flushes matching records from the address database and bad cache as well as the DNS cache. (Previously only the DNS cache was flushed.)

The isc_bitstring API is no longer used and has been removed from the libisc library.

The timestamps included in RRSIG records can now be read as integers indicating the number of seconds since the UNIX epoch, in addition to being read as formatted dates in YYYYMMDDHHMMSS format.

Benefit to Fedora

Fedora will include the latest major version of popular DNS server with latest features.

Owner of this feature is co-maintainer of all dependent packages. He will do the necessary rebuilds himself in cooperation with dependent packages owners.

Release engineering: no work required

Policies and guidelines: no change required

Upgrade/compatibility impact

Users' manually compiled applications not distributed in Fedora using libraries distributed with BIND package will need to be rebuilt.

The Change possibly impacts the Fedora Server product. The Server WG member Stephen Gallagher is a co-owner of this change to prevent possible issues.

How To Test

No special hardware is required.

Users should have some existing named configuration working with the previous version (9.9).

Upgrade the package to the lastest 9.10 version available for Fedora 22.

Test the named behaviour with the previously used configuration.

named behaviour did not change except from the changes listed in BIND 9.10 RELEASE NOTES.

User Experience

Some default settings changed and are noted on this Change page. The aim for the change is to be not disruptive for users. The Change will be coordinated with the Server WG to prevent possible impact on the Fedora Server product.

Dependencies

Fedora Server product depends on BIND.

Contingency Plan

Contingency mechanism: Keep the 9.9 version of BIND

Contingency deadline: As given by the F22 Schedule

Blocks release? No

Blocks product? Fedora Server

Documentation

Everything is already noted in the Detailed Description.

Release Notes

New Major version of BIND DNS server is available

Important feature changes:

The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is no longer optional. The version 2 XML schema is now deprecated.

"named" now listens on IPv6 as well as IPv4 interfaces by default.

The internal and export versions of the BIND libraries (libisc, libdns, etc) have been unified so that external library clients can use the same libraries as BIND itself.

The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance.

Adaptive mutex locks are now used on systems which support them.

"rndc flushtree" now flushes matching records from the address database and bad cache as well as the DNS cache. (Previously only the DNS cache was flushed.)

The isc_bitstring API is no longer used and has been removed from the libisc library.

The timestamps included in RRSIG records can now be read as integers indicating the number of seconds since the UNIX epoch, in addition to being read as formatted dates in YYYYMMDDHHMMSS format.